In recent years, communication technology has widely spread in terms of number of users and amount of use of the telecommunication services by the users. This also led to an increase in the number of different technologies and technological concepts in use.
Currently, there are several kinds of wireless networks providing an Internet access service, such as Wireless Local Area Networks (WLAN), General Packet Radio Service (GPRS) networks, and Third Generation (3G) networks. Hitherto, each of these networks has basically been regarded as a single and individual network. Hence, network functions of a respective one of the networks have not necessarily been compatible with those of other ones of the networks, and interworking between different networks has been difficult. Recently, there is a trend to integrate those heterogeneous networks to provide an integrated Mobile Internet service. The aim of such an integrated service is to provide an interworking of the networks which are involved in a common procedure initiated by a user, user terminal, and/or one of the involved network. Thus, the user and/or user terminal should not even notice that more than one network might be involved and just experience a seamless service, regardless of the underlying realization.
For the following, a roaming scenario is assumed in which a mobile terminal with so-called multi-mode interfaces for connecting to heterogeneous networks roams among different networks. The mobile terminal will attach to and will roam among these networks from time to time. Therefore, the mobile terminal is required to authenticate and authorize itself in these networks in order to identify itself to the network and to provide its entitlement for access to and/or services of the respective network. For this purpose, the mobile terminal may use credentials such as username/password or the like.
With regard to authentication and authorization, reference is made to an IP network. Nevertheless, for the purpose of the present invention, other packet-based protocols or even non-packet-based protocols are applicable. Any reference to a particular protocol thus serves as an example only.
There exist several authentication and authorization protocols and/or functions in IP—(Internet Protocol) based networks and in cellular mobile communication network. For example, IEEE802.1x is popular in WLAN access, whereas GSM (Global System for Mobile Communication) and GPRS networks use an authentication triple to authenticate mobile subscribers, and an Authentication and Key Agreement (AKA) procedure is used to achieve authentication in 3G networks. However, these protocols are each dedicated to a specific network and are not efficient for use throughout an integrated network environment.
Conventionally, a specialized network for performing such functions as described above is built up “on top of” the communication network, and is often referred to as AAA (authorization, authentication and accounting) network. The thus realized functions like system access and database look-ups can take place in specific and separate AAA nodes, but in practice, these nodes are often implemented within the nodes of the underlying communication network, which has the advantage of a joint use of hardware and thus reduced costs. Notwithstanding the hardware location, the AAA nodes offer a functionality which is distinct from other functionalities. Therefore, in the following specification a node is individually addressed as long as it provides a distinct functionality irrespective of its physical location or implementation.
The structure of an AAA network is usually in line with the structure of an underlying communication network like the Internet or a 3G network. More specifically, an AAA network servicing a domain-based communication network such as the Internet is also organized in a domain-based manner.
The above mentioned and several other networks are often structured in a hierarchical manner in terms of access sub-network and core sub-network. And even within such sub-networks a hierarchical structure is usually applied. In GSM, for example, base stations, base station controllers and mobile switching center represent different hierarchy levels. However, current AAA protocols such as RADIUS do not support such hierarchy.
As stated above, various kinds of networks and respective access and/or service provisioning technologies are evolving very fast. As a result, a common AAA framework is needed to help those network access vendors to administer different kinds of local customers or foreign customers.
In an integrated mobile Internet (cf. FIG. 1), a mobile terminal MT has a relation to a home AAA server AAAH in its home network, with which it is registered and which handles its AAA (authentication, authorization and accounting) issues. When the mobile terminal tries to get access to a network different from its home network, called a foreign network, a network access server NAS of the foreign network takes care of the mobile terminal's network access. A network access server, in this connection, stands for an access/attach network element, such as an access router in IP networks, a base station system in GPRS networks, and a Node B and a radio network controller (RNC) in UMTS networks. In order to authenticate the mobile terminal when it roams to or in a foreign network and/or a foreign domain, local AAA servers AAAL1, AAAL2 of that network and/or domain need to ask the home AAA server AAAH of the mobile terminal each time the mobile terminal performs a roaming operation, i.e. an initial attach to the foreign network or a handover between different network elements. This is due to the fact that an identification of a mobile terminal roaming to or in a foreign network can conventionally only be accomplished by the home AAA server of this terminal.
The problem is that a conventional procedure for authentication and authorization for a mobile terminal roaming to or in a foreign network comprises information transfers between the mobile terminal, the involved NASs, the involved AAAL(s), and the AAAH at each time the mobile terminal uses another NAS for network access.
Since time latency between different networks, i.e. between a local AAA server AAAL in a foreign network and the home AAA server AAAH in a mobile terminal's home network is rather long, a procedure as the one described above will cause a significant latency in network access whenever a terminal/user performs a roaming operation. This problem is even more distinct when a terminal/user frequently switches between heterogeneous networks. This may particularly be the case in networks with a rather small coverage area or a plurality of domains having a relatively small coverage area, e.g. in WLAN networks. Also in an area where 3G and WLAN networks overlap and complement each other, a mobile terminal frequently performs roaming operations among different access points and/or Nodes B. Thus, the conventional procedure for authentication and authorization of roaming terminals would be a big obstacle to seamless mobile communication service such as mobile Internet services.